Test for internal TLS certificate rotation #15217
Conversation
knative-prow
bot
added
the
size/L
|
/hold |
knative-prow
bot
added
the
do-not-merge/hold
|
/unhold |
knative-prow
bot
removed
the
do-not-merge/hold
|
The test fails with: @ReToCode I suppose the certificates might not be properly reloaded yet after deleting the |
|
The test passed when I added waiting for ca.crt in routing-serving-certs. Will try again during reviews. |
mgencur
force-pushed
the
certificate_rotation_test
branch
from
d20e8fa
to
b26a59d
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #15217 +/- ##
==========================================
- Coverage 84.78% 84.74% -0.04%
==========================================
Files 218 218
Lines 13479 13479
==========================================
- Hits 11428 11423 -5
- Misses 1685 1687 +2
- Partials 366 369 +3 ☔ View full report in Codecov by Sentry. |
|
@ReToCode this is ready for another review. |
knative-prow
bot
added
lgtm
|
/override "style / suggester / shell" |
|
@ReToCode: ReToCode unauthorized: /override is restricted to Repo administrators. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@dprotaso mind overriding the shell-check? IMHO, this should be in a separate PR, as only the time changed in this one. |
knative-prow-robot
added
the
needs-rebase
The original intention was to skip the cleanup only when the test fail, not always. This was missed in the original PR that introduced the flag.
This is to properly expand the variables when passing to tests and to pass shellcheck.
mgencur
force-pushed
the
certificate_rotation_test
branch
from
f79af1d
to
7e3df10
Compare
knative-prow-robot
removed
the
needs-rebase
|
/lgtm |
|
@ReToCode Hmm. The latest error looks genuine: So, after deleting the old cert from the trust-bundle there's an error with TLS. Any idea why this could happen? |
+1, yes that could take a while to fully complete. Makes not much sense to wait for that in an e2e test. |
The cert rotation might not be fully complete yet. This also adds a little randomness to the test.
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mgencur, ReToCode The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
IMHO, we can skip certmanager-integration-tests_serving_main, as per #15261 |
|
/override "certmanager-integration-tests_serving_main" |
|
@dprotaso: Overrode contexts on behalf of dprotaso: certmanager-integration-tests_serving_main In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
@mgencur: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
* TestTLSCertificateRotation * Use SkipCleanupOnFail only when the test fails The original intention was to skip the cleanup only when the test fail, not always. This was missed in the original PR that introduced the flag. * Use default poll interval and timeout * Fix lint * Make function GetCASecret return the secret also for internal encryption * Move WaitForLog to e2e package to prevent "redefined flag" * Wait for 2 occurrences of cert reload It is loaded at the beginning and then after re-creating the serving-certs secret during the test. * Increase timeout for systeminternaltls tests to 4m * Wait for CA cert to be re-created in routing-serving-certs before checking state * The test usually takes around 120 seconds * Rename waitForCaCert to waitForCACertSecret * Fix lint * Use new ClusterIssuer for testing certificate rotation Also, do not rely on ca.crt to be in routing-serving-certs. We rely solely on the trust-bundle ConfigMap. * Actually rename the new issuer * Run ./hack/update-codegen.sh * Create const for name of renewed issuer * Fixes * Update test * Revert "Use new ClusterIssuer for testing certificate rotation" * Fix lint and deps * Use arrays for GO_TEST_FLAGS and E2E_TEST_FLAGS This is to properly expand the variables when passing to tests and to pass shellcheck. * One more fix for shellcheck * Add missing bracket * Do NOT delete old cert from trust-bundle ConfigMap The cert rotation might not be fully complete yet. This also adds a little randomness to the test. (cherry picked from commit b15ce9a)
* TestTLSCertificateRotation * Use SkipCleanupOnFail only when the test fails The original intention was to skip the cleanup only when the test fail, not always. This was missed in the original PR that introduced the flag. * Use default poll interval and timeout * Fix lint * Make function GetCASecret return the secret also for internal encryption * Move WaitForLog to e2e package to prevent "redefined flag" * Wait for 2 occurrences of cert reload It is loaded at the beginning and then after re-creating the serving-certs secret during the test. * Increase timeout for systeminternaltls tests to 4m * Wait for CA cert to be re-created in routing-serving-certs before checking state * The test usually takes around 120 seconds * Rename waitForCaCert to waitForCACertSecret * Fix lint * Use new ClusterIssuer for testing certificate rotation Also, do not rely on ca.crt to be in routing-serving-certs. We rely solely on the trust-bundle ConfigMap. * Actually rename the new issuer * Run ./hack/update-codegen.sh * Create const for name of renewed issuer * Fixes * Update test * Revert "Use new ClusterIssuer for testing certificate rotation" * Fix lint and deps * Use arrays for GO_TEST_FLAGS and E2E_TEST_FLAGS This is to properly expand the variables when passing to tests and to pass shellcheck. * One more fix for shellcheck * Add missing bracket * Do NOT delete old cert from trust-bundle ConfigMap The cert rotation might not be fully complete yet. This also adds a little randomness to the test. (cherry picked from commit b15ce9a) Co-authored-by: Martin Gencur <mgencur@redhat.com>
Add test for TLS certificate rotation
Proposed Changes
scanPodLogsas a more versatileWaitForLogthat can wait for a given condition.ServingFlags.SkipCleanupOnFail. The cleanup should really be skipped only if the test fails. This was missed during reviews on the original PRgetCertManagerCAnow also waits for the Secret to exist rather than failing immediatelyRelease Note